Hey guys

Hope you are all well!

I have a question I was hoping you might be able to give me some pointers on.

I currently have 8 x 1142N Cisco Aironet units scattered about the building (PoE) setup via dot1q / vlan tagging with 2 vlans, one for guests / byod and the other for staff with a default gateway of the firewall.

Now I want to add a third SSID but this one must have its own gw and vlan that is not the existing firewall gw, it also needs to have the following authentication properties:

MAC authentication - manually added (to be scripted later)
Username + pass (AD can be used but there is no wireless controller)
Radius (see above)
DHCP
Dynamic DNS (I'm thinking BIND here)
Firewall (this is covered, the firewall will be the default gateway)
Client / Server certificates

This must be of high security, I was thinking TLS-EAP but to be honest I'm not sure what it is the accepted norm nowadays for this type of solution, I cannot spend any additional cash so therefore the Radius server that will provide the brunt of the security will need to be freeradius - I'm struggling to find any guides though?

What do you guys think? any tips on how you would drop this in? any help would be much appreciated

Is TLS-EAP sufficient and if so can it be done using freeradius + cisco ios without a wireless controller, I cannot buy any additional equipment. The devices that will be connecting are quite diverse, laptops, android phones / tables and iphone / ipads.

Thanks